IPv6 Autoconfiguration: Plug & Play Dream or Security Nightmare?

Review of IPv6 Autoconfig
- Defined in RFC 2461
- All hosts implicitly have an IPv6 Link-Local address for each interface they have
  - Host: "I have a NIC, therefore I am"
  - FE80::(EUI-64)
  - Simple corollary: therefore, a host without a NIC is a non-entity
- Other network information is obtained from the router(s) on the local network
  - Host: "Is there a router in the house?"
  - ICMPv6 Type 133 – Router Solicitation
  - Router: "I'm a router and here are the prefixes you can use", optionally ", and go talk to the DHCPv6 server"
  - ICMPv6 Type 134 – Router Advertisement
- The host combines the prefix information with a host address portion to form an IPv6 address
- Multiple types of host addresses

IPv6 Address Types
- Stateless (EUI-64)
  - RFC 2462
- Privacy Extensions (pseudorandom)
  - RFC 3041
- Stateful (DHCPv6)
  - RFC 3315
So what's the problem?
- Well, do you know that the device that says it's the router is really supposed to be the router?
- If you get multiple answers (which you can), which is the right one?
- It could be a misconfigured host
  - Linux, Windows, or whatever
  - Maybe with a tunnel that it wants to HELP! other people use
- More scary: it could be a BAD guy claiming to be a router
  - Trying to set up a man-in-the-middle attack
But I'm not running IPv6!
- Are you sure?
- OSes are coming with IPv6 on by default
  - Windows Vista
  - Mac OS X
  - Many Linux distributions
  - Many other UNIX variants
- So you probably have hosts asking for an IPv6 router on your network right now
- All you need is a misconfigured host or a bad guy on your network, and your hosts are doing IPv6
What about SEND? IPv6 Secure Neighbor Discovery
- RFC 3971
- It will secure this, and more!
- But!!!!
  - There are not many, if any, implementations
  - Certs & PKI
    - Do I need to say more?
- Will work in a well-controlled, mostly closed network
  - Not the definition of your typical university network
  - Probably not workable on a visitor or guest network, even if your primary network is securable in this way
A Solution
- Block IPv6 Router Advertisements on ingress at the host-facing access switch ports
- Can be done today with Cisco 3750, 3750-E, 3560, and 3560-E switches
  - IOS 12.2(25)SED Advanced IP Services (only) or later code
  - I tested on 3750s with 12.2(40)SE AdvIPServ

IOS Config Snip
A Different Problem
- I said "Advanced IP Services"
- The upgrade from "IP Base" is $6,995 list per switch
- We have about 3,500 3750G-24TS switches
- This is about $24M list
- We're talking to the 3750 Business Unit at Cisco
Other Solutions
- Turn off IPv6 on your hosts if you're not using it
  - Not a great solution
  - Not a solution at all if you need/want to do IPv6
  - But can you really ensure that you have done this?
- Monitor for bogus IPv6 Router Advertisements
  - À la XArp-type IPv4 ARP monitoring software
  - IPv6 routers would be the perfect devices to do this: track the other routers
  - Maybe even send an SNMP trap – maybe not
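Added example, not from the slides: a small Python monitor in the spirit of the XArp-style watcher suggested above. It parses raw IPv6 Router Advertisement packets (ICMPv6 type 134) with their Prefix Information options and flags any RA whose source link-local address is not on an allow-list of known routers. The packets and the allow-list are constructed here for illustration; in practice the packets would come from a capture on the access network.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 type 134 (RFC 2461)
OPT_PREFIX_INFORMATION = 3          # RA option hosts build addresses from (RFC 2462)

def parse_ra(packet: bytes):
    """Parse a raw IPv6 packet; return RA fields, or None if it is not an RA."""
    if len(packet) < 56 or packet[6] != 58:      # next header 58 = ICMPv6
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    icmp = packet[40:]                            # fixed 40-byte IPv6 header
    if icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    flags = icmp[5]                               # M (0x80) = use DHCPv6 for addresses
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes, pos = [], 16                        # options follow the 16-byte RA body
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8
        if olen == 0 or pos + olen > len(icmp):   # malformed option: stop, don't loop forever
            break
        if otype == OPT_PREFIX_INFORMATION and olen == 32:
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(f"{prefix}/{icmp[pos + 2]}")
        pos += olen
    return {"src": str(src), "managed": bool(flags & 0x80),
            "router_lifetime": router_lifetime, "prefixes": prefixes}

def audit_ras(packets, trusted_routers):
    """One alert per RA whose source is not a known router (misconfigured host or attacker)."""
    alerts = []
    for pkt in packets:
        ra = parse_ra(pkt)
        if ra and ra["src"] not in trusted_routers:
            alerts.append(f"rogue RA from {ra['src']} advertising {ra['prefixes']}")
    return alerts

def build_ra(src: str, prefix: str, plen: int = 64) -> bytes:
    """Constructed sample packet (not a capture): IPv6 header + RA + one prefix option."""
    opt = struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, plen, 0xC0,
                      2592000, 604800, 0, ipaddress.IPv6Address(prefix).packed)
    ra = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + opt
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(ra), 58, 255,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address("ff02::1").packed)
    return hdr + ra

TRUSTED_ROUTERS = {"fe80::1"}                     # assumed link-local address of the real router
SAMPLE_PACKETS = [build_ra("fe80::1", "2001:db8:1::"),      # legitimate router
                  build_ra("fe80::2", "2001:db8:dead::")]   # misconfigured host or attacker
```

Running `audit_ras(SAMPLE_PACKETS, TRUSTED_ROUTERS)` reports only the second packet; a router that was also capturing on the segment could raise an SNMP trap from that alert.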
Talk to your Switch Vendor
- We all need to be talking to our vendors
- Talk to them about how you want IPv6 to work 1, 2, or 3 years from now
- Make IPv6 a requirement in all your purchases
- Test the features

IPv6 Support Priority List for Vendors
- Basic functionality – you can pass IPv6 at all
- Security – comparable security features to IPv4
- IPv6 manageability
- Full IPv4 feature parity
IPv6 Access Switch Features
- IPv6-aware Layer 2 ACLs
- DHCPv6 Snooping
- IPv6 Neighbor Discovery Validation
- MLDv2 Snooping
- IPv6-aware QoS features

Conclusion
- Start thinking about IPv6 as part of your normal network
- Think about it in the same ways as IPv4
- However, take the opportunity to rethink how you are doing your normal networking
- Talk to your vendors early and often